NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-42945 exposes a heap buffer overflow in NGINX Plus and NGINX Open Source through ngx_http_rewrite_module, creating risk of unauthenticated remote code execution or denial of service. The flaw is triggered by crafted HTTP requests under specific rewrite/PCRE capture conditions. F5 has issued fixes, and affected deployments should treat the issue as critical.
Related Happenings
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
How related:
The cluster of attacker activity we're observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell,
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveHow related: The cluster of attacker activity we're observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell,
About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
How related:
For those unable to upgrade, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in vulnerable ‘rewrite’ rules with named captures, which eliminates the main exploitation prerequisite.
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/MitigationHow related: For those unable to upgrade, F5 recommends replacing unnamed PCRE capture groups ($1, $2, etc.) in vulnerable ‘rewrite’ rules with named captures, which eliminates the main exploitation prerequisite.
About this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
CISA KEV patch directive for CVE-2025-53521
Advisory/Mitigation
First: 30.03.2026 10:07
Last: 30.03.2026 10:07
Sources 1
About this happening:
CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is be...
CISA KEV patch directive for CVE-2025-53521
Advisory/MitigationAbout this happening: CISA added **CVE-2025-53521** to its **KEV catalog** and told **federal agencies** to patch the F5 BIG-IP flaw within **three days**. The directive is urgent because the bug is be...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector Action
First: 17.03.2026 07:23
Last: 17.03.2026 07:23
Sources 1
About this happening:
CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
CISA KEV listing for Wing FTP CVE-2025-47813
Public Sector ActionAbout this happening: CISA added **CVE-2025-47813** in **Wing FTP Server** to the **KEV catalog** after evidence of **active exploitation**, putting the flaw under formal government tracking. The listi...
NGINX hijack toolkit that injects configs and exfiltrates mapping data
Malware Activity
First: 05.02.2026 01:26
Last: 05.02.2026 01:26
Sources 1
About this happening:
A **scripted multi-stage toolkit** is automating **NGINX configuration injection**, **service reloads**, and **C2 exfiltration** to hijack traffic on compromised hosts. The toolki...
NGINX hijack toolkit that injects configs and exfiltrates mapping data
Malware ActivityAbout this happening: A **scripted multi-stage toolkit** is automating **NGINX configuration injection**, **service reloads**, and **C2 exfiltration** to hijack traffic on compromised hosts. The toolki...
Timeline
-
14.05.2026 09:00 2 articles · 13d ago
Responsible disclosure and fixes for CVE-2026-42945
Mitigation Patch UpdateF5 addressed CVE-2026-42945 after responsible disclosure on April 21, 2026, with fixes introduced in NGINX Plus R32 P6 and R36 P4 and in NGINX Open Source 1.30.1 and 1.31.0; if immediate patching is not possible, affected rewrite directives should replace unnamed PCRE captures with named captures.
Show sources
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE — thehackernews.com — 14.05.2026 09:00
- NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE — thehackernews.com — 17.05.2026 14:57
-
14.05.2026 09:00 1 articles · 13d ago
Public disclosure of multiple NGINX vulnerabilities
Initial DisclosureCybersecurity researchers and F5 publicly disclosed multiple vulnerabilities in NGINX Plus and NGINX Open Source on May 14, 2026, led by CVE-2026-42945 / NGINX Rift, a critical heap buffer overflow in ngx_http_rewrite_module that can allow unauthenticated remote code execution or denial of service through crafted HTTP requests under specific rewrite and PCRE capture conditions; the advisory also listed CVE-2026-42946, CVE-2026-40701, and CVE-2026-42934.
Show sources
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE — thehackernews.com — 14.05.2026 09:00